S0583: Pysa
Analyst context for executives and security teams
Pysa is a Windows ransomware entry in ATT&CK associated with high-value finance, government, and healthcare targeting. Its practical significance is not just encryption: the related behaviors show a ransomware intrusion path that can involve credential access, discovery, lateral movement over RDP, service-based execution, defense impairment, recovery inhibition, and final data encryption. Leaders should treat this as a test case for whether identity controls, endpoint visibility, backup resilience, and incident response decisions hold up before business operations are interrupted.
Executive priority
Prioritize Pysa as an operational resilience and ransomware-readiness scenario. The ATT&CK relationships point to controls that often decide business impact: protection of Windows credentials such as LSASS material, restriction and monitoring of RDP, detection of PowerShell and service execution, protection of security tooling, and recovery controls that cannot be easily disabled. For regulated or high-availability environments, this behavior is also useful for audit evidence: prove that logging, privileged access controls, backup recovery, and incident escalation are tested against ransomware techniques rather than documented only as policy.
Technical view
Validate coverage on Windows endpoints for the related techniques: LSASS memory access, brute force activity, credentials stored in files, PowerShell and Python execution, RDP lateral movement, service execution, registry modification, file deletion, security tool tampering, service stopping, recovery inhibition, and data encryption for impact. Because the object has no official ATT&CK detection text, SOC teams should map detections to the related techniques and confirm telemetry exists before assuming coverage. IR teams should prepare triage paths that connect credential theft, RDP movement, defense impairment, backup interference, and encryption activity into one incident timeline.
Likely telemetry
- Windows endpoint process creation and command-line logging
- PowerShell execution logs and script block/module logging where available
- Authentication logs for failed and successful logons, especially RDP-related activity
- Windows service creation, modification, stop, and execution events
- Registry modification telemetry
Detection direction
- Build detection around the ATT&CK relationships rather than the malware name alone, since no official detection guidance is supplied.
- Correlate credential-access signals with subsequent RDP logons, service execution, and discovery to reduce single-event false positives.
- Tune PowerShell, Python, registry, and service-control detections for administrative baselines; many commands can be legitimate but become higher priority when chained with ransomware-impact behaviors.
- Validate alerting for security tool disablement or modification, because defense impairment can create a visibility gap before encryption.
- Confirm that recovery-inhibition and service-stop events are monitored as high-severity precursors to business disruption, not only as post-encryption artifacts.
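The correlation the bullets above describe, as an added example that is not part of the ATT&CK object or any Pysa report: a small Python pass that classifies normalised Windows events (Security, System and Sysmon) against the technique IDs in the table on this page, then chains the hits per host into one timeline and rates the chain. The event schema, the allowlists, the thresholds and the sample events are all constructed here so it runs offline; the field names mirror common Sysmon/Security event data but must be mapped to your SIEM's schema, and the use of vssadmin as the shadow-copy deletion signature is an assumption about the common method, not something the page states.

```python
"""Chain correlation of Windows telemetry against the Pysa-related ATT&CK
techniques on this page. Added example, not ATT&CK or vendor content. The
event schema, tuning values and SAMPLE_EVENTS are constructed for offline use."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning: processes allowed to open LSASS, display names of security
# services worth protecting, brute-force and encryption-burst thresholds.
LSASS_ALLOWLIST = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}
SECURITY_SERVICES = {"microsoft defender antivirus service", "windows defender firewall"}
FAILED_LOGON_THRESHOLD = 10
BURST_N, BURST_WINDOW = 20, timedelta(seconds=60)


def _low(s):
    return (s or "").lower()


def classify(ev):
    """Map one stateless event to an ATT&CK technique ID, or None."""
    src, eid, d = ev["source"], ev["event_id"], ev["data"]
    if src == "security" and eid == 4624 and d.get("LogonType") == 10:
        return "T1021.001"                      # interactive RDP logon
    if src == "sysmon" and eid == 10 and _low(d.get("TargetImage")).endswith("\\lsass.exe") \
            and _low(d.get("SourceImage")) not in LSASS_ALLOWLIST:
        return "T1003.001"                      # LSASS handle from an unexpected process
    if src == "sysmon" and eid == 1:
        img, cmd = _low(d.get("Image")), _low(d.get("CommandLine"))
        if img.endswith("\\svchost.exe") and not img.startswith(
                ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
            return "T1036.005"                  # svchost.exe outside its real location
        if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
            return "T1490"                      # shadow copy deletion (assumed method)
    if src == "sysmon" and eid == 13:
        key = _low(d.get("TargetObject"))
        if "\\windows defender\\" in key and "disableantispyware" in key:
            return "T1562.001"                  # Defender turned off through policy value
        if "\\currentversion\\policies\\system\\" in key:
            return "T1112"                      # key named in the technique table
    if src == "system" and eid == 7045:
        return "T1569.002"                      # new service installed
    if src == "system" and eid == 7036 and _low(d.get("param1")) in SECURITY_SERVICES \
            and _low(d.get("param2")) == "stopped":
        return "T1489"                          # security service stopped
    return None


def correlate(events):
    """Per host: first hit of each technique in time order, plus a chain rating."""
    hosts = defaultdict(lambda: {"techniques": set(), "timeline": [], "severity": "low"})
    failed = defaultdict(int)           # host -> count of 4625 failed logons
    writes = defaultdict(list)          # (host, pid) -> recent Sysmon 11 file-create times
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, src, eid = ev["host"], ev["source"], ev["event_id"]
        tech = classify(ev)
        if src == "security" and eid == 4625:             # stateful: brute force
            failed[host] += 1
            if failed[host] == FAILED_LOGON_THRESHOLD:
                tech = "T1110"
        if src == "sysmon" and eid == 11:                 # stateful: file-write burst
            recent = writes[(host, ev["data"].get("ProcessId"))]
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > BURST_WINDOW:
                recent.pop(0)
            if len(recent) == BURST_N:
                tech = "T1486"
        rec = hosts[host]
        if tech and tech not in rec["techniques"]:
            rec["techniques"].add(tech)
            rec["timeline"].append((ev["ts"], tech, f"{src} {eid}"))
    for rec in hosts.values():
        t = rec["techniques"]
        if t & {"T1490", "T1486"} and t & {"T1003.001", "T1021.001", "T1110"}:
            rec["severity"] = "critical"      # access chain plus an impact precursor
        elif len(t) >= 3:
            rec["severity"] = "high"
    return dict(hosts)


T0 = datetime(2024, 1, 1, 2, 0, 0)   # constructed timestamp base


def _ev(offset, host, source, eid, **data):
    return {"ts": T0 + timedelta(seconds=offset), "host": host, "source": source,
            "event_id": eid, "data": data}


# Constructed sample: fs01 shows the whole chain, ws07 a lone RDP logon.
SAMPLE_EVENTS = (
    [_ev(i, "fs01", "security", 4625, TargetUserName="admin") for i in range(12)]
    + [_ev(30, "fs01", "security", 4624, LogonType=10, TargetUserName="admin"),
       _ev(45, "fs01", "sysmon", 10, SourceImage="C:\\Users\\admin\\x.exe",
           TargetImage="C:\\Windows\\system32\\lsass.exe"),
       _ev(60, "fs01", "system", 7045, ServiceName="updater"),
       _ev(61, "fs01", "sysmon", 1, Image="C:\\Windows\\Temp\\svchost.exe", CommandLine="svchost.exe"),
       _ev(70, "fs01", "sysmon", 13,
           TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"),
       _ev(71, "fs01", "system", 7036, param1="Microsoft Defender Antivirus Service", param2="stopped"),
       _ev(80, "fs01", "sysmon", 1, Image="C:\\Windows\\System32\\vssadmin.exe",
           CommandLine="vssadmin.exe delete shadows /all /quiet"),
       _ev(85, "fs01", "sysmon", 13,   # value name chosen for illustration only
           TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticetext"),
       _ev(100, "ws07", "security", 4624, LogonType=10, TargetUserName="jdoe")]
    + [_ev(90 + i, "fs01", "sysmon", 11, ProcessId=4242, TargetFilename=f"C:\\Share\\doc{i}.xlsx.locked")
       for i in range(25)]
)

if __name__ == "__main__":
    for host, rec in correlate(SAMPLE_EVENTS).items():
        print(host, rec["severity"], [t for _, t, _ in rec["timeline"]])
```

The point of the stateful rules is the one the bullets make: a single RDP logon (ws07) stays low, while the same logon on a host that also shows LSASS access and shadow-copy deletion becomes a critical chain. Tune LSASS_ALLOWLIST and SECURITY_SERVICES to your EDR inventory before relying on the T1003.001 and T1489 rules.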
Mitigation priorities
- Harden privileged access and credential exposure first, including controls that reduce access to LSASS material and insecure credentials in files.
- Restrict, monitor, and justify RDP usage; require strong authentication and limit lateral movement paths where operationally feasible.
- Constrain scripting and service execution through least privilege, application control, and administrative workflow review.
- Protect endpoint, logging, and security tools from tampering and monitor their health continuously.
- Test backup and recovery processes against attempts to inhibit recovery, including restoration from protected or offline backups.
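A check for the first two mitigation priorities (credential exposure and RDP authentication), as an added example that is not from ATT&CK or the cited Pysa reports: it parses the text that `reg query /s` prints, so saved output from many hosts can be audited offline, and compares a handful of registry values against a hardening baseline. The baseline values (LSA protection, WDigest caching, RDP Network Level Authentication, Defender policy) are an assumption chosen for this example, and the sample output is constructed.

```python
"""Audit saved `reg query /s` output against a small hardening baseline tied to
the Pysa-related techniques. Added example; BASELINE and SAMPLE are assumptions
and constructed data, not vendor or ATT&CK guidance."""
import re

# (key, value name, expected REG_DWORD, rationale) -- assumed baseline
BASELINE = [
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "RunAsPPL", 1,
     "LSA protection stops unsigned code reading LSASS memory (T1003.001)"),
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
     "UseLogonCredential", 0, "no plaintext WDigest credentials cached in LSASS (T1003.001)"),
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",
     "UserAuthentication", 1, "RDP requires Network Level Authentication (T1021.001)"),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender", "DisableAntiSpyware", 0,
     "policy must not switch Defender off (T1562.001)"),
]

# One value line: indented name, REG_* type, raw data (value names with spaces are not handled).
_VALUE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Return {key: {value_name: (type, raw_data)}} from reg query output."""
    out, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            out[key][m.group(1)] = (m.group(2), m.group(3).strip())
        elif line.startswith("HKEY_"):
            key = line.strip()
            out.setdefault(key, {})
    return out


def _dword(raw):
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def audit(text):
    """Rate each baseline item ok / weak / missing (missing = OS default applies)."""
    reg, findings = parse_reg_query(text), []
    for key, name, want, why in BASELINE:
        vals = reg.get(key, {})
        if name not in vals:
            findings.append({"name": name, "status": "missing", "why": why})
            continue
        typ, raw = vals[name]
        have = _dword(raw) if typ == "REG_DWORD" else raw
        findings.append({"name": name, "status": "ok" if have == want else "weak",
                         "have": have, "want": want, "why": why})
    return findings


# Constructed sample: LSA protection off, WDigest caching on, NLA on, no Defender policy key.
SAMPLE = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    RunAsPPL    REG_DWORD    0x0
    LmCompatibilityLevel    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest
    UseLogonCredential    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp
    UserAuthentication    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['status']:8} {f['name']:20} {f['why']}")
```

"missing" is reported separately from "weak" on purpose: an absent value means the OS default applies, and that default differs by Windows version (for example, WDigest caching is off by default on current releases but was on for older ones), so it needs a version-aware decision rather than an automatic failure.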
Analyst notes and limits
The supplied object identifies Pysa as Windows ransomware first used in October 2018 and seen targeting high-value finance, government, and healthcare organizations. The most useful defensive value comes from the related ATT&CK techniques, which outline a ransomware-relevant chain from credential access and discovery through lateral movement, execution, defense impairment, recovery inhibition, and encryption.
ATT&CK provides no official detection text for this object, and the malware object itself lists Windows as the platform with no tactics specified. Some related techniques have broader platform metadata, but that should not be interpreted as Pysa platform coverage beyond the supplied malware platform. Local telemetry, architecture, and business process evidence are required to determine actual exposure or detection coverage.
Pysa
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | Pysa can perform network reconnaissance using the Advanced IP Scanner tool. [1] |
| Enterprise | T1059.006 | Python Sub-technique | Pysa has used Python scripts to deploy ransomware. [1] |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Pysa has extracted credentials from the password database before encrypting the files. [1] |
| Enterprise | T1562.001 | Disable or Modify Tools Sub-technique | Pysa has the capability to stop antivirus services and disable Windows Defender. [1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Pysa has used PowerShell scripts to deploy its ransomware. [1] |
| Enterprise | T1486 | Data Encrypted for Impact | Pysa has used the RSA and AES-CBC encryption algorithms to encrypt a list of targeted file extensions. [1] |
| Enterprise | T1112 | Modify Registry | Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note. [1] |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Pysa has laterally moved using RDP connections. [1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1489 | Service Stop | Pysa can stop services and processes. [1] |
| Enterprise | T1490 | Inhibit System Recovery | Pysa has the functionality to delete shadow copies. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Pysa has executed a malicious executable by naming it svchost.exe. [1] |
| Enterprise | T1110 | Brute Force | Pysa has used brute force attempts against a central management console, as well as some Active Directory accounts. [1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | Pysa has deleted batch files after execution. [1] |
| Enterprise | T1046 | Network Service Discovery | Pysa can perform network reconnaissance using the Advanced Port Scanner tool. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1d1d5fc99526… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CERT-FR PYSA April 2020: CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
- [2] DFIR Pysa Nov 2020: The DFIR Report. (2020, November 23). PYSA/Mespinoza Ransomware. Retrieved March 17, 2021.
- [3] Mespinoza (alias entry): (Citation: CERT-FR PYSA April 2020)(Citation: DFIR Pysa Nov 2020)(Citation: NHS Digital Pysa Oct 2020)
- [4] NHS Digital Pysa Oct 2020: NHS Digital. (2020, October 10). Pysa Ransomware: Another 'big-game hunter' ransomware. Retrieved March 17, 2021.
- [5] Pysa (alias entry): (Citation: CERT-FR PYSA April 2020)(Citation: DFIR Pysa Nov 2020)(Citation: NHS Digital Pysa Oct 2020)
- [6] mitre-attack S0583: MITRE ATT&CK software entry for S0583.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.